The ‘security’ section is undefined

Average severity: High

Description

The security section has not been defined. This section specifies if your API requires authentication, either on global level for the whole API or for individual API operations.

Example

The security section is tightly coupled with the securityDefinitions section. The security section could be missing because:

  • You forgot to define the securityDefinitions section altogether, leaving the API completely unprotected.
  • You defined the securityDefinitions section but not the security section. The definitions are not actually getting applied.
  • You defined the securityDefinitions section and the operation-level security section for some of the API operations. However, you did not define the security section on the global level for the whole API.

Possible exploit scenario

If you do not set the global security section, the API does not require any authentication by default. Anyone can use the API operations that do not have a security section defined. All they need to know is the URL for the API operation and how to invoke it.

This sometimes happens to internal APIs. These are often created only to be used inside the company web pages and mobile applications. No one expects any outsiders to know that the API exists, so developers do not spend time implementing security.

But attackers can look at the code of the mobile or web application, or listen to the API traffic, and reverse-engineer how the API works. Once the attackers have figured this out, they can start using the API because it does not require any authentication.

Defining the security section only in individual operations is an error-prone approach. Authentication is not required unless the particular operation requires it. If you forget to define the security section for an operation, you leave it wide open.

Remediation

  1. Define the securityDefinitions section on the global level, and list the authentication methods that you plan to use. For example:
    "securityDefinitions": {
        "petstore_auth": {
          "type": "oauth2",
          "authorizationUrl": "https://petstore.swagger.io/oauth/dialog",
          "flow": "implicit",
          "scopes": {
            "write:pets": "Modify pets in your account.",
            "read:pets": "Read your pets list."
          }
        },
        "api_key": {
          "type": "apiKey",
          "name": "api_key",
          "in": "header"
        }
      },
  2. Use the security section on the global level to set the default authentication requirements for the whole API.
    If you have more than one definition in securityDefinitions and you want to apply all of them for each API call, use the following syntax (semantically AND):

    "security": [
      { "petstore_auth": [], "api_key": [] }
    ]

    If you want to apply only one of the definitions to an API call, use the following syntax (semantically OR):

    "security": [
      { "petstore_auth": [] },
      { "api_key": [] }
    ]

You can add an exception to the security specified on the global level on the operation level as needed. This overrides the authentication requirements of the whole API. Simply add a separate security section to the operation in question.
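As an added example (not part of the original page), the following Python check applies the OpenAPI 2.0 inheritance rules described above to a constructed Swagger document: it reports operations that end up with no authentication requirement at all, and requirement names that match no securityDefinitions entry. The /admin path and the admin_key name are hypothetical, included only to show the second finding.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed OpenAPI 2.0 fragment: securityDefinitions exist, but the global
# "security" section is missing, so only operations with their own list are covered.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {
        "petstore_auth": {"type": "oauth2", "flow": "implicit",
                          "authorizationUrl": "https://petstore.swagger.io/oauth/dialog",
                          "scopes": {"write:pets": "Modify pets.", "read:pets": "Read pets."}},
        "api_key": {"type": "apiKey", "name": "api_key", "in": "header"},
    },
    "paths": {
        "/pets": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"security": [{"petstore_auth": ["write:pets"]}],
                     "responses": {"200": {"description": "ok"}}},
        },
        # Hypothetical operation referencing a name that securityDefinitions lacks.
        "/admin": {"get": {"security": [{"admin_key": []}],
                           "responses": {"200": {"description": "ok"}}}},
    },
}

def unprotected_operations(spec):
    """Return two lists: (METHOD, path) pairs with no effective security requirement, and
    (METHOD, path, name) triples whose requirement names match no securityDefinitions entry.
    OpenAPI 2.0 rules applied: an operation's own "security" list replaces the global
    one; an explicit [] disables authentication; an operation without the key inherits
    the global list, so a missing global list leaves it open."""
    defined = set(spec.get("securityDefinitions", {}))
    global_security = spec.get("security")
    open_ops, dangling = [], []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:  # skip "parameters", "$ref", etc.
                continue
            effective = op.get("security", global_security)
            if not effective:  # None (undefined) or [] (explicitly disabled)
                open_ops.append((method.upper(), path))
                continue
            for requirement in effective:
                for name in requirement:
                    if name not in defined:
                        dangling.append((method.upper(), path, name))
    return open_ops, dangling

if __name__ == "__main__":
    print(unprotected_operations(SAMPLE_SPEC))
```

Adding a global `security` list (the OR form from step 2) to SAMPLE_SPEC makes GET /pets disappear from the first list, while the dangling admin_key reference is still reported.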
